mod_auth_ldap

Stefan Hepp

Dec 13, 2010, 11:45:27 AM
to prosody-dev
Hello,

I just hacked a version of mod_auth_ldap based on the one in the
prosody-modules repository, which can be found here:
http://scm.stefant.org/svn/tools/trunk/patches/prosody/mod_auth_ldap.lua

I am using ldap_search to find the DN of users, and ldap_bind to test
the password, which also works when userPassword is hashed.

Noticed two things:
I need to specify 'scope' for ldap-search, else the query fails
silently on my setup (I see a 'missing scope' message in strace but
nowhere else, and I have not found a way to get ldap-error-messages in
lualdap so far).

In core/usermanager.lua, function user_exists (line 77) I need to add

if not host or not hosts[host] then return false; end

else it tries to check for host e.g. 'conference.jabber.stefant.org'
which does not seem to have an entry in hosts, and in some rare cases
'host' and 'username' seem to be empty, which results in a stacktrace
in the log and no messages are delivered. No idea if this is a problem
due to my auth_ldap stuff or another bug in my prosody version.

I am using the prosody-0.8 debian package (version 1-1~nightly11) with
lualdap 1.1.0 on debian stable.

Regards, Stefan

Waqas Hussain

Dec 13, 2010, 2:33:54 PM
to proso...@googlegroups.com
On Mon, Dec 13, 2010 at 9:45 PM, Stefan Hepp <ste...@stefant.org> wrote:
> Hello,
>
> I just hacked a version of mod_auth_ldap based on the one in the
> prosody-modules repository, which can be found here:
> http://scm.stefant.org/svn/tools/trunk/patches/prosody/mod_auth_ldap.lua
>

You also fixed a bug, which I have applied to the prosody-modules
version. Thanks:

http://code.google.com/p/prosody-modules/source/detail?r=ca6199d73d68dcffead55b4931590a3daaddc9c2

> I am using ldap_search to find the DN of users, and ldap_bind to test
> the password, which also works when userPassword is hashed.

Great. Send an hg bundle/patch here, or ask us in the Prosody room, so
we can get this into prosody-modules.

I see you create a new LDAP connection. Someone patched lualdap to add
a bind_simple() method to the ldap object:
http://prosody.im/patches/lualdap.patch

The intent for this module was to eventually both work this way, and
to provide added features when we have a non-hashed password
available. We can provide SASL DIGEST-MD5, SCRAM-SHA-1, etc, only when
we have access to a plain password.

> Noticed two things:
> I need to specify 'scope' for ldap-search, else the query fails
> silently on my setup (I see a 'missing scope' message in strace but
> nowhere else, and I have not found a way to get ldap-error-messages in
> lualdap so far).

We should get lualdap fixed then. I wrote mod_auth_ldap, but never
actually got around to testing it and any error cases.

> In core/usermanager.lua, function user_exists (line 77) I need to add
>
> if not host or not hosts[host] then return false; end
>
> else it tries to check for host e.g. 'conference.jabber.stefant.org'
> which does not seem to have an entry in hosts, and in some rare cases
> 'host' and 'username' seem to be empty, which results in a stacktrace
> in the log and no messages are delivered. No idea if this is a problem
> due to my auth_ldap stuff or another bug in my prosody version.
>

I'd like to see the trace.

> I am using the prosody-0.8 debian package (version 1-1~nightly11) with
> lualdap 1.1.0 on debian stable.
>
> Regards, Stefan
>

--
Waqas

Stefan Hepp

Jan 21, 2011, 11:49:25 AM
to prosody-dev
Hello,

Finally got round to looking into this again.

I updated the mod_auth_ldap module at (I don't know how to upload files
here...):
http://scm.stefant.org/svn/tools/trunk/patches/prosody/mod_auth_ldap.lua

It now works with prosody-0.8-rc1 without any patching of prosody; the
problems I had with the usermanager seem to be fixed now.

To use it, place the following in your prosody.cfg.lua:
ldap_server = "servername";
ldap_base = "ou=People,dc=example,dc=org";
ldap_rootdn = "<admindn>"; -- optional
ldap_password = "<adminpw>"; -- optional
ldap_filter = "(authorizedService=jabber)"; -- optional
-- don't forget this one!
authentication = "ldap";

There are quite a few things which can be improved, like:
- More/better error handling?
- Make login-field configurable (instead of hardcoded 'uid')
- Optionally construct DN by given schema (like "uid=%s,ou=People,..")
to avoid first ldap_search if username defines the DN.
- Alternatively retrieve plaintext-password from ldap (by in plain()
handler instead of plain_text(), I guess) to support DIGEST, .. as you
mentioned above.

Maybe I will fix a few of the above points and create an hg patch for
it when I find some time..

Another nice feature for me would be to supply vcard user-infos (Name,
address,..) from LDAP, but I don't think that the auth-module is the
right place to do this (but any hints on how to implement such a
plugin are welcome ;) ), and there is also the non-trivial matter of
handling vcard-updates from the clients (deny/write back to LDAP/use
LDAP only as long as values are not changed by user ??).

Regards, Stefan
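As an added example (not Stefan's module and not the prosody-modules code), here is the search-then-bind flow the thread describes, written against the LuaLDAP API (lualdap.open_simple, conn:search, conn:close). It gives the search scope explicitly, as Stefan found necessary, rejects empty passwords before binding, and escapes the localpart before it is placed in a filter or a DN. The settings ldap_login_field and ldap_dn_template are assumptions matching two items on Stefan's improvement list; they are not options of the module on the page.

```lua
-- Added example, not Stefan's module and not prosody-modules code: a
-- search-then-bind authenticator in the style the thread describes, written
-- against the LuaLDAP API (lualdap.open_simple, conn:search, conn:close).
-- ldap_login_field and ldap_dn_template are assumed options corresponding to
-- two items on Stefan's list; they are not options of the module on the page.
local lualdap = require "lualdap";

local config = {
    ldap_server      = "ldap.example.org",
    ldap_base        = "ou=People,dc=example,dc=org",
    ldap_rootdn      = nil,   -- optional service account for the search; nil = anonymous
    ldap_password    = nil,
    ldap_filter      = "(authorizedService=jabber)",  -- optional extra filter
    ldap_login_field = "uid", -- assumed: attribute the JID localpart is matched against
    ldap_dn_template = nil,   -- assumed: e.g. "uid=%s,ou=People,dc=example,dc=org"
};

-- RFC 4515 escaping for a value placed inside a search filter. Without it a
-- localpart such as "*)(uid=*" rewrites the filter instead of being looked up.
local function escape_filter(value)
    return (value:gsub("[%*%(%)\\]", function(c)
        return string.format("\\%02x", c:byte());
    end));
end

-- RFC 4514 escaping for a value placed into a DN built from a template.
local function escape_dn_value(value)
    local s = value:gsub('[,+"\\<>;=]', function(c) return "\\" .. c; end);
    s = s:gsub("^#", "\\#"):gsub("^ ", "\\ "):gsub(" $", "\\ ");
    return s;
end

-- Looks up the DN for a localpart. The scope is given explicitly, which is the
-- point Stefan raised: without it the search failed silently on his setup.
local function find_userdn(conn, localpart)
    local filter = string.format("(%s=%s)", config.ldap_login_field, escape_filter(localpart));
    if config.ldap_filter then
        filter = "(&" .. filter .. config.ldap_filter .. ")";
    end
    local matches = {};
    for dn in conn:search{ base = config.ldap_base, scope = "subtree", filter = filter } do
        matches[#matches + 1] = dn;
    end
    if #matches ~= 1 then
        return nil, (#matches == 0) and "no such user" or "ambiguous match";
    end
    return matches[1];
end

local function test_password(localpart, password)
    -- An empty password turns the bind below into an unauthenticated (anonymous)
    -- bind, which most servers accept, so it must be rejected before binding.
    if type(password) ~= "string" or password == "" then return false, "empty password"; end

    local dn, err;
    if config.ldap_dn_template then
        -- Template mode skips the first search when the localpart defines the DN.
        dn = string.format(config.ldap_dn_template, escape_dn_value(localpart));
    else
        local conn;
        conn, err = lualdap.open_simple(config.ldap_server, config.ldap_rootdn, config.ldap_password);
        if not conn then return nil, "connect: " .. tostring(err); end
        dn, err = find_userdn(conn, localpart);
        conn:close();
        if not dn then return false, err; end
    end

    -- Bind as the user: a successful bind is the password check, so this works
    -- whether or not userPassword is stored hashed.
    local conn;
    conn, err = lualdap.open_simple(config.ldap_server, dn, password);
    if not conn then return false, "bind failed: " .. tostring(err); end
    conn:close();
    return true;
end

-- usage: local ok, why = test_password("alice", "correct horse battery staple")
```

The bind-as-user check is what makes hashed userPassword values work, and it is also why, as Waqas notes, SASL mechanisms such as DIGEST-MD5 or SCRAM cannot be offered in this mode: the module never sees the stored password, only the server's yes/no.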

Matthew Wild

Feb 29, 2012, 2:02:32 PM
to proso...@googlegroups.com
On 21 January 2011 16:49, Stefan Hepp <ste...@stefant.org> wrote:
> Hello,
>
> Finally got round to look into this again.
>
> I updated the mod_auth_ldap module at (don't know how to upload files
> here .. )
> http://scm.stefant.org/svn/tools/trunk/patches/prosody/mod_auth_ldap.lua
>

Stefan has moved the file; it is now at
http://scm.stefant.org/svn/tools/stuff/trunk/patches/prosody/mod_auth_ldap.lua

To avoid future confusion, I've given the file a header and copied it
to http://prosody.im/files/mod_auth_ldap.lua

Thanks Stefan, and to the person who discovered the broken link :)

The plan is still to probably merge these modules (this one and the
one in prosody-modules), but our efforts are all on getting Prosody
0.9 released at the moment.

Regards,
Matthew

Stian B. Barmen

Mar 5, 2014, 3:10:44 PM
to proso...@googlegroups.com
Hello, 

I have been trying to get this to work with multiple versions of this plugin (not entirely obvious which one is the recommended one now!) but have limited success. Right now I am trying to authenticate against a Zentyal 3.3 server using OpenLDAP version on port 390. My debug shows that Prosody does not connect to port 390 even though I am configuring the port by setting servername 127.0.0.1:390 and ldap://127.0.0.1:390/ etc. Not sure how to get it to connect to the correct port? 

This is my config in the prosody.cfg.lua file:

authentication = "ldap"
ldap_server = "127.0.0.1:390"
ldap_rootdn = "cn=zentyal,dc=example,dc=local"
ldap_password = "xxxxxxxxxx"
ldap_base = "ou=Users,dc=example,dc=local"
ldap_mode = "bind"

Any tips on this? please? :) 

/stian

googl...@computerlyrik.de

Mar 7, 2014, 8:46:19 AM
to proso...@googlegroups.com
Wrote a prosody-cookbook [2] (see chef[1]) for setting up prosody.

The setup for the ldap auth part is described here [3].
See [4] for the config templates used by the recipe.

I am using the default ldap port, so I cannot reproduce your issue.
Perhaps it is a problem with lua-ldap (or your specific installed version?).

Just guessing.


[1] http://www.getchef.com/
[2] https://github.com/computerlyrik/chef-prosody
[3]
https://github.com/computerlyrik/chef-prosody/blob/master/recipes/ldap.rb
[4]
https://github.com/computerlyrik/chef-prosody/tree/master/templates/default

Abel Paz

Apr 11, 2014, 5:29:49 AM
to proso...@googlegroups.com
Hi everyone!

I'm having this error using mod_auth_ldap (latest version from https://code.google.com/p/prosody-modules/wiki/mod_auth_ldap ). It happens with no pattern, just sometimes (once or twice a day, with 6 users using it).

Apr 11 11:20:21 mod_c2s error   Traceback[c2s]: /usr/lib/prosody/modules/mod_auth_ldap.lua:21: LuaLDAP: Can't contact LDAP server
stack traceback:
        [C]: in function 'search'
        /usr/lib/prosody/modules/mod_auth_ldap.lua:21: in function 'find_userdn'
        /usr/lib/prosody/modules/mod_auth_ldap.lua:40: in function 'test_password'
        /usr/lib/prosody/modules/mod_auth_ldap.lua:67: in function 'plain_test'
        /usr/lib/prosody/util/sasl/plain.lua:72: in function </usr/lib/prosody/util/sasl/plain.lua:38>
        (tail call): ?
        /usr/lib/prosody/modules/mod_saslauth.lua:77: in function </usr/lib/prosody/modules/mod_saslauth.lua:66>
        (tail call): ?
        /usr/lib/prosody/util/events.lua:67: in function 'fire_event'
        /usr/lib/prosody/core/stanza_router.lua:146: in function </usr/lib/prosody/core/stanza_router.lua:55>
        ...
        [C]: in function 'parse'
        /usr/lib/prosody/util/xmppstream.lua:255: in function 'feed'
        /usr/lib/prosody/modules/mod_c2s.lua:230: in function 'data'
        /usr/lib/prosody/modules/mod_c2s.lua:252: in function </usr/lib/prosody/modules/mod_c2s.lua:249>
        (tail call): ?
        /usr/lib/prosody/net/server_select.lua:848: in function </usr/lib/prosody/net/server_select.lua:830>
        [C]: in function 'xpcall'
        /usr/bin/prosody:373: in function 'loop'
        /usr/bin/prosody:403: in main chunk
        [C]: ?

Does somebody know why this is happening and how I can fix it?

Thank you very much in advance!

Best regards!
Abel.
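Two of the later posts are about the connection rather than the authentication logic: Stian cannot get the module to use port 390, and Abel's traceback shows LuaLDAP raising a Lua error ("Can't contact LDAP server") out of search(), which in a module that keeps one connection open for its lifetime is what a dropped or timed-out connection looks like. The following added example (not code from the module on the page or from prosody-modules) covers both: parse_server() is an assumed helper that normalises the forms Stian tried ("host:port", "ldap://host:port/"), and find_userdn() wraps the search in pcall, reopens the connection once, and otherwise returns a clean failure instead of a stack trace. Whether a given lualdap build wants "host:port" or a URI is also an assumption, so both are produced.

```lua
-- Added example, not code from the module on the page or from prosody-modules:
-- connection handling for the two problems reported above. parse_server() is an
-- assumed helper; find_userdn() treats the error in Abel's traceback ("Can't
-- contact LDAP server", raised out of search()) as a dead cached connection.
local lualdap = require "lualdap";

-- Accepts "host", "host:port", "ldap://host:port/" or "ldaps://host/" and
-- returns { host=, port=, tls= }. Bracketed IPv6 literals are not handled.
local function parse_server(s)
    local scheme, rest = s:match("^(ldaps?)://([^/]+)/?$");
    local hostport = rest or s;
    local host, port = hostport:match("^(.-):(%d+)$");
    host = host or hostport;
    local tls = (scheme == "ldaps");
    port = tonumber(port) or (tls and 636 or 389);
    return { host = host, port = port, tls = tls };
end

-- LuaLDAP 1.1 hands the first open_simple() argument to ldap_init(), which
-- accepts "host:port"; assumption: builds based on ldap_initialize() want a URI.
local function server_string(srv, as_uri)
    if as_uri then
        return string.format("%s://%s:%d/", srv.tls and "ldaps" or "ldap", srv.host, srv.port);
    end
    return string.format("%s:%d", srv.host, srv.port);
end

local connection; -- module-level cache, as a long-lived module connection would be

local function open(config)
    local srv = parse_server(config.ldap_server);
    -- ldap_uri_style is an assumed option selecting the URI form above.
    return lualdap.open_simple(server_string(srv, config.ldap_uri_style),
                               config.ldap_rootdn, config.ldap_password);
end

-- filter must already be escaped (RFC 4515). Returns the last matching DN, or
-- nil plus a reason; never raises. log is an optional (level, fmt, ...) function.
local function find_userdn(config, filter, log)
    log = log or function() end;
    for attempt = 1, 2 do
        if not connection then
            local err;
            connection, err = open(config);
            if not connection then return nil, "connect: " .. tostring(err); end
        end
        local ok, result = pcall(function()
            local found;
            for dn in connection:search{ base = config.ldap_base, scope = "subtree", filter = filter } do
                found = dn;
            end
            return found;
        end);
        if ok then return result; end
        -- search() raised (e.g. "Can't contact LDAP server"): drop the cached
        -- connection and retry once with a fresh one instead of propagating the error.
        log("warn", "LDAP search failed (%s), reconnecting", tostring(result));
        pcall(connection.close, connection);
        connection = nil;
        if attempt == 2 then return nil, "search: " .. tostring(result); end
    end
end

-- usage with Stian's settings (the password is a placeholder):
-- local cfg = { ldap_server = "127.0.0.1:390", ldap_base = "ou=Users,dc=example,dc=local",
--               ldap_rootdn = "cn=zentyal,dc=example,dc=local", ldap_password = "<adminpw>" };
-- print(find_userdn(cfg, "(uid=stian)", function(level, fmt, ...) print(level, fmt:format(...)) end));
```

With the error caught this way a single dead socket costs one retry and one warning line rather than a traceback in the log and a failed login; if the second attempt also fails, the authentication is simply rejected and the next attempt reconnects from scratch.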